CVE-2023-5752: Mercurial configuration injectable in repo revision when installing via pip
Published Oct 24, 2023
Affected Software
7 affected components; fixes available
- pip/pip <23.3 (fixed in 23.3)
- pypa pip <23.3
- redhat/pip <23.3 (fixed in 23.3)
- Microsoft cbl2 python3 3.9.19-13
- Microsoft azl3 python3 3.12.3-1
- Microsoft azl3 python3 3.12.0-4
- IBM Concert Software <=1.0.0-2.2.0
Remediation
Patch Available
Event History
Oct 24, 2023
- 08:56 PM: CVE Published via MITRE
- 08:56 PM: Data Sourced via MITRE (fields: Description, Severity, Weakness)
Oct 25, 2023
- 06:17 PM: Data Sourced via NVD (fields: Remedy, Description, Severity, Weakness, Affected Software)
- 06:32 PM: Advisory Published via GitHub
Nov 21, 2023
- 04:07 AM: Data Sourced via Red Hat (fields: Description, Severity, Affected Software)
Sep 11, 2024
- 07:00 AM: Data Sourced via Microsoft (fields: Description, Severity, Weakness)
- 07:00 AM: Data Sourced via Microsoft (fields: Affected Software)
- 07:00 AM: Updated via Microsoft (fields: Severity, Affected Software)
- 07:00 AM: Updated via Microsoft (fields: Description, Severity)
Apr 6, 2026
- 12:00 AM: Data Sourced via IBM (fields: Description, Affected Software)
Frequently Asked Questions

1. What is CVE-2023-5752?
CVE-2023-5752 is a vulnerability in the pip package manager that allows an attacker to inject arbitrary Mercurial configuration options during package installation.

2. How does CVE-2023-5752 impact users?
An attacker can exploit CVE-2023-5752 to modify the Mercurial configuration during package installation, potentially compromising the integrity and security of the installing system.

3. What is the severity of CVE-2023-5752?
The severity of CVE-2023-5752 is medium, with a severity score of 5.5.

4. How can I fix CVE-2023-5752?
To fix CVE-2023-5752, update pip to version 23.3 or later.

5. Where can I find more information about CVE-2023-5752?
More information is available in the GitHub pull request, on the Python security-announce mailing list, and in the NIST National Vulnerability Database.